The widespread transition of data from analog format to digital format has exacerbated problems relating to unauthorized copying and redistribution of protected content. Flawless copies of content can be easily produced and distributed via the Internet or on physical media. This piracy is a major concern and expense for content providers; in response, industry consortia such as The 4C Entity (<www.4centity.com>) and AACSLA (<www.aacsla.com>) have been formed. These groups are license agencies that provide content protection tools based on Content Protection for Recordable Media (CPRM) and Advanced Access Content System (AACS), respectively. CPRM is a technology developed and licensed by the 4C group, comprising IBM, Intel, Matsushita, and Toshiba, to allow consumers to make authorized copies of commercial entertainment content where the copyright holder for such content has decided to protect it from unauthorized copying. AACS is a follow-on technology for the same purpose, under development by a group comprising IBM, Intel, Matsushita, Toshiba, Sony, Microsoft, Warner Brothers, and Disney.
CPRM and AACS protected files are encrypted with a key that is specific to a Media Identifier on their original storage medium (such as a DVD or CD-ROM), so simply copying the content to another storage medium does not break the protection. CPRM also adds a Media Key Block (MKB) to the medium. The MKB is a file containing a very large number of keys. Each individual compliant device is assigned a set of unique Device Keys that allow it to obtain the Media Key from the MKB; the Media Key is then combined with the Media Identifier and other values to derive the keys used to decrypt the protected content. Details of the CPRM and AACS technology are provided in the applications incorporated by reference and are also available from 4C and AACS.
Fundamentally, the AACS protection depends on the interaction between Device Keys and the tree-based Media Key Block, which allows unlimited, precise cryptographic revocation of compromised devices without danger of collateral damage to innocent devices. Because revocation in the AACS system is inherently so powerful, it is possible that attackers may forgo building clones or non-compliant devices and instead devote themselves to attacks where they try to hide the underlying compromised device(s). These attacks are both more expensive and more legally risky for the attackers, because the attacks require them to have an active server serving either content keys or the content itself, on an instance-by-instance basis.
In addition to conventional CD-ROMs and DVDs, a new type of home consumer device for digital content management has been enabled by the advent of inexpensive, large-capacity hard disks. A movie rental box receives digital movies from some inexpensive source of data, usually a broadcast source (whether terrestrial or satellite-based). The movies are stored on the hard disk, so that at any moment the hard disk contains, for example, the hundred hottest movies in the rental market. The consumer selects and plays a particular movie, and the movie rental box periodically calls a clearing center and reports the consumer's content usage for billing purposes; the box may also acquire new decryption keys during this call.
The most serious attack against these new devices is likely to be the so-called “anonymous” attack, wherein a user or a group of users purchase rental movies from legitimate movie rental boxes that have been instrumented so that the protected content and/or the decryption keys can be captured and redistributed, often over the Internet. This attack is the most urgent concern of the movie studios that are investigating content protection technology. One solution to the problem is to differently watermark and differently encrypt each movie for each authorized movie rental box, so that if a movie is pirated, the watermarking and encryption information would uniquely identify the compromised box. Alas, this solution is not feasible because of the excessive computing effort and transmission bandwidth required to prepare and transmit individualized movies. The distribution system is economical only if the movies can be distributed over broadcast channels, i.e. where every receiver gets substantially the same data at the same time.
The approach known in the art as “tracing traitors” may be used to solve the problem. In one particular instance of this approach, an original version of each movie file is augmented before being broadcast. Specifically, the file that is actually broadcast has had at least one critical file segment replaced by a set of segment variations. Each file segment variation is differently encrypted and preferably also differently watermarked prior to encryption, although the entire file may be watermarked as well. All the variations in one segment are identical for viewing purposes though digitally different. A particular receiver is preferably given the cryptographic key to decrypt only one of the variations in each segment. All legitimate receivers with valid decryption keys can play the content, but probably through different segment combinations. If the receiver is compromised and is used to illegally rebroadcast either the keys or the segments themselves, it is possible to deduce which receiver or receivers have been compromised.
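The two halves of the scheme described above (giving each receiver the key for one variation per segment, then deducing the receiver from leaked keys) are sketched below as an added example; it is not code from the referenced application. The sizes, the `MASTER` secret, the HMAC key derivation and the base-4 digit assignment are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac

SEGMENTS, VARIATIONS = 4, 4                  # constructed sizes: 4**4 = 256 receivers
MASTER = b"constructed-demo-master-secret"   # constructed stand-in for the agency's secret

def variation_key(segment: int, variation: int) -> bytes:
    """Key that encrypts one variation of one augmented segment (hypothetical derivation)."""
    msg = f"{segment}:{variation}".encode()
    return hmac.new(MASTER, msg, hashlib.sha256).digest()[:16]

def assigned_variations(receiver: int) -> list:
    """Step 1: the variation of each segment this receiver may decrypt.
    Assumption: base-VARIATIONS digits of the receiver number, so no two receivers match."""
    return [(receiver // VARIATIONS ** s) % VARIATIONS for s in range(SEGMENTS)]

def receiver_keys(receiver: int) -> list:
    """Exactly one key per augmented segment, as held by a legitimate receiver."""
    return [variation_key(s, v) for s, v in enumerate(assigned_variations(receiver))]

def observed_from_keys(leaked: list) -> list:
    """Map redistributed keys back to per-segment variations; None where nothing leaked."""
    table = {variation_key(s, v): (s, v)
             for s in range(SEGMENTS) for v in range(VARIATIONS)}
    observed = [None] * SEGMENTS
    for key in leaked:
        if key in table:                     # keys that belong to no variation are ignored
            s, v = table[key]
            observed[s] = v
    return observed

def trace(observed: list) -> list:
    """Step 2: receivers whose assignment agrees with every observed segment."""
    return [r for r in range(VARIATIONS ** SEGMENTS)
            if all(o is None or o == a
                   for o, a in zip(observed, assigned_variations(r)))]

if __name__ == "__main__":
    leak = receiver_keys(27)                 # constructed leak from receiver 27
    print(trace(observed_from_keys(leak)))                  # [27]
    print(trace(observed_from_keys(leak[:2] + leak[3:])))   # [11, 27, 43, 59]
```

When the key for one segment is missing from the leak, the candidate set widens from one receiver to `VARIATIONS` receivers, which is why each recovered segment matters to the tracing step.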
The tracing traitors approach has not been widely used in practice to date because previous implementations required unreasonable amounts of bandwidth in the broadcast, due to the number of segments or variations required. However, U.S. Ser. No. 10/315,395, filed Dec. 9, 2002, entitled “Method for Tracing Traitors and Preventing Piracy of Digital Content in a Broadcast Encryption System” teaches a method of distributing protected content that combats piracy and enables identification and revocation of compromised receivers in a broadcast encryption system without excessive transmission bandwidth.
To recap, whether dealing with DVDs or set-top boxes or other distribution means, a traitor tracing scheme has two basic steps: assigning the keys to receiver devices to enable tracing, and then identifying the traitors for revocation. Efficient traitor tracing technologies directed to both these steps enable a license agency to more quickly identify traitors and to prevent piracy even by larger groups of colluding traitors.
However, what happens after a traitor has been identified and a particular compromised key or set of keys is revoked? The prior art is silent as to the aftermath of a single tracing and revocation. What if a traitor repeats the attack and additional content is pirated, and/or a new key or set of keys is compromised? A system is needed that allows innocent receiver devices to still calculate a correct cryptographic answer needed to allow content to be used, while at the same time preventing traitor devices from getting to such an answer.